Step 2: Configure Auditbeat
editStep 2: Configure Auditbeat
editTo configure Auditbeat, you edit the configuration file. The default
configuration file is called auditbeat.yml
. The location of the file
varies by platform. To locate the file, see Directory layout.
There’s also a full example configuration file called auditbeat.reference.yml
that shows all non-deprecated options.
See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.
To configure Auditbeat:
-
Define the Auditbeat modules that you want to enable. Auditbeat uses modules to collect the audit information. For each module, specify the metricsets that you want to collect.
The following example shows the
file_integrity
module configured to generate events whenever a file in one of the specified paths changes on disk:auditbeat.modules: - module: file_integrity paths: - /bin - /usr/bin - /sbin - /usr/sbin - /etc
If you accept the default configuration without specifying additional modules, Auditbeat uses a configuration that’s tailored to the operating system where Auditbeat is running.
See Configuring Auditbeat for more details about configuring modules.
-
Configure the output. Auditbeat supports a variety of outputs, but typically you’ll either send events directly to Elasticsearch, or to Logstash for additional processing.
To send output directly to Elasticsearch (without using Logstash), set the location of the Elasticsearch installation:
-
If you’re running our hosted Elasticsearch Service on Elastic Cloud, specify your Cloud ID. For example:
cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
-
If you’re running Elasticsearch on your own hardware, set the host and port where Auditbeat can find the Elasticsearch installation. For example:
output.elasticsearch: hosts: ["myEShost:9200"]
To send output to Logstash, Configure the Logstash output instead. For all other outputs, see Configure the output.
-
-
If you plan to use the sample Kibana dashboards provided with Auditbeat, configure the Kibana endpoint. You can skip this step if Kibana is running on the same host as Elasticsearch.
-
If Elasticsearch and Kibana are secured, set credentials in the
auditbeat.yml
config file before you run the commands that set up and start Auditbeat.-
If you’re running our hosted Elasticsearch Service on Elastic Cloud, specify your cloud auth credentials. For example:
cloud.auth: "elastic:YOUR_PASSWORD"
-
If you’re running Elasticsearch on your own hardware, specify your Elasticsearch and Kibana credentials:
output.elasticsearch: hosts: ["myEShost:9200"] username: "filebeat_internal" password: "YOUR_PASSWORD" setup.kibana: host: "mykibanahost:5601" username: "my_kibana_user" password: "YOUR_PASSWORD"
This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.
The
username
andpassword
settings for Kibana are optional. If you don’t specify credentials for Kibana, Auditbeat uses theusername
andpassword
specified for the Elasticsearch output.To use the pre-built Kibana dashboards, this user must have the
kibana_user
built-in role or equivalent privileges.For more information, see Securing Auditbeat.
-
To test your configuration file, change to the directory where the
Auditbeat binary is installed, and run Auditbeat in the foreground with
the following options specified: ./auditbeat test config -e
. Make sure your
config files are in the path expected by Auditbeat (see Directory layout),
or use the -c
flag to specify the path to the config file.
Before starting Auditbeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Auditbeat.